- From: Daniel W. Connolly <connolly@beach.w3.org>
- Date: Wed, 20 Dec 1995 13:27:49 -0500
- To: Mike Meyer <mwm@contessa.phone.net>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

In message <19951212.79A6B78.8840@contessa.phone.net>, Mike Meyer writes:
>
>Yes, having ".." (or "") as a path component creates interesting
>problems in writing relative URLs, and is probably a bad idea on any
>server. Yes, an attempt to access "../../../../etc/passwd" is probably
>someone trying to break into the system. However, it's up to the
>people running the server, not the spec, to decide what is and is not
>a security problem and deal with them.

It _is_ "up to the spec" to make implementors aware of such issues.
That's why SECURITY CONSIDERATIONS is mandatory in all RFCs, no?

(I agree that returning 403 on seeing /../ is a should, not a must)

Dan

Received on Wednesday, 20 December 1995 10:31:45 UTC
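
The server-side check discussed in this message (answer 403 when a request path contains a ".." component), as an added example that is not part of the original thread. `DOCROOT` and `check_request_path` are hypothetical names, the sample paths are constructed, and rejecting interior empty components ("//") is a policy assumption made here.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root (hypothetical)


def check_request_path(raw_path, docroot=DOCROOT):
    """Map an HTTP request path to (status, filesystem path or None)."""
    # Only the path part is mapped to the filesystem; drop query and fragment.
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/"):
        return 400, None
    # Decode percent-escapes exactly once, so "%2e%2e" is compared as "..".
    decoded = unquote(path)
    if "\x00" in decoded or "\\" in decoded:
        return 400, None
    segments = decoded.split("/")[1:]
    # The "should" from the message: 403 on any ".." path component.
    if ".." in segments:
        return 403, None
    # Interior empty components ("/a//b") are refused too (assumption);
    # a single trailing empty component is just a trailing slash.
    if "" in segments[:-1]:
        return 403, None
    resolved = posixpath.normpath(posixpath.join(docroot, *segments))
    # Defense in depth: the result must still sit under the document root.
    if resolved != docroot and not resolved.startswith(docroot + "/"):
        return 403, None
    return 200, resolved


if __name__ == "__main__":
    # Constructed sample request paths.
    for p in ["/index.html", "/../../../../etc/passwd",
              "/a/%2e%2e/b", "/a//b", "/docs/"]:
        print(p, check_request_path(p))
```
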